Project Shibboleth Update, Demonstration and Discussion. Michael R Gettes Duke University ([email protected]) (on behalf of the entire shib team!!!) June 5, 2003 @ CAMP. Shibboleth. - PowerPoint PPT Presentation
Project Shibboleth: Update, Demonstration and Discussion

Michael R Gettes, Duke University ([email protected])
(on behalf of the entire shib team!!!)
June 5, 2003 @ CAMP
Shibboleth

A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See Judges xii.
Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
- Webster's Revised Unabridged Dictionary (1913)
Stage 1 - Addressing Three Scenarios

Member of campus community accessing licensed resource
• Anonymity required
Member of a course accessing remotely controlled resource
• Anonymity required
Member of a workgroup accessing controlled resources
• Controlled by unique identifiers (e.g. name)

Taken individually, each of these situations can be solved in a variety of straightforward ways.
Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.
Establishing a User Context

Getting Attributes and Determining Access
Shibboleth AA Process (diagram, 2003 © SWITCH)

Parties in the diagram: the user's browser; the Resource Owner (target site: SHIRE, SHAR, Resource Manager); the WAYF; and the User's Home Org (origin site: Handle Service (HS), User DB, Attribute Authority (AA)).

1. Browser requests the resource at the target.
2. SHIRE: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
3. WAYF: "Please tell me where you come from."
4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
5. HS: "I don't know you. Please authenticate yourself."
6. Browser presents credentials; HS checks them against the User DB.
7. HS: "OK, I know you now. I redirect your request to the target, together with a handle."
8. SHIRE passes the handle to the SHAR.
9. SHAR: "I don't know the attributes of this user. Let's ask the Attribute Authority." (handle sent to the AA)
10. AA: "Let's pass over the attributes the user has allowed me to release." (attributes returned to the SHAR)
Resource Manager: "OK, based on the attributes, I grant access to the resource."
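The ten steps above, replayed as an added Python simulation. This is not Shibboleth code; every user, organisation, URL, password and release policy in it is constructed for the illustration. The point it makes concrete is the privacy property behind the three scenarios: the target only ever sees an opaque, single-use handle plus whatever the Attribute Release Policy (ARP) lets the AA hand out for that target, so the licensed-resource target can grant access on an entitlement without learning who the user is, while the workgroup target receives an identifier.

```python
"""Added simulation of the Shibboleth AA flow above (not Shibboleth code).
All users, organisations, URLs and policies are constructed for illustration."""
import secrets

PUBLISHER = "https://publisher.example.com/"   # licensed resource (scenario 1)
WORKGROUP = "https://workgroup.example.org/"   # workgroup resource (scenario 3)

# Origin site's user directory (constructed sample data).
USER_DB = {
    "alice": {
        "password": "correct horse",
        "attributes": {
            "eduPersonAffiliation": ["member", "student"],
            "eduPersonEntitlement": ["urn:mace:example.edu:library:ejournals"],
            "eduPersonPrincipalName": ["alice@example.edu"],
            "displayName": ["Alice Example"],
        },
    }
}

# Attribute Release Policy: per (user, target), what the AA may release.
# The licensed resource never learns who the user is; the workgroup does.
ARP = {
    ("alice", PUBLISHER): {"eduPersonAffiliation", "eduPersonEntitlement"},
    ("alice", WORKGROUP): {"eduPersonPrincipalName", "displayName"},
}


class AttributeAuthority:
    """Origin side (step 10): resolves a handle and applies the ARP."""

    def __init__(self):
        self._handles = {}

    def register(self, handle, user):
        self._handles[handle] = user

    def attributes_for(self, handle, target):
        # Single use: pop the handle so a captured one cannot be replayed.
        user = self._handles.pop(handle, None)
        if user is None:
            return {}
        allowed = ARP.get((user, target), set())
        attrs = USER_DB[user]["attributes"]
        return {name: vals for name, vals in attrs.items() if name in allowed}


class HandleService:
    """Origin side (steps 5-7): authenticates and issues an opaque handle."""

    def __init__(self, aa):
        self.aa = aa

    def login(self, user, password):
        rec = USER_DB.get(user)
        if rec is None or rec["password"] != password:
            return None
        handle = secrets.token_hex(16)  # random; carries no identity itself
        self.aa.register(handle, user)
        return handle


def resource_manager(target, attrs):
    """Target side (last step): hypothetical per-resource access rules."""
    if target == PUBLISHER:
        return "urn:mace:example.edu:library:ejournals" in attrs.get("eduPersonEntitlement", [])
    if target == WORKGROUP:
        return "alice@example.edu" in attrs.get("eduPersonPrincipalName", [])
    return False


def shib_flow(target, home_org, user, password, wayf, aa):
    """Runs steps 1-10 for one request; returns (granted, attributes seen by target)."""
    hs = wayf.get(home_org)            # 1-4: SHIRE -> WAYF -> user names home org
    if hs is None:
        return False, {}
    handle = hs.login(user, password)  # 5-7: HS authenticates, issues handle
    if handle is None:
        return False, {}
    attrs = aa.attributes_for(handle, target)  # 8-10: SHAR asks the AA
    return resource_manager(target, attrs), attrs


def build_origin():
    """One home org registered with the WAYF (constructed)."""
    aa = AttributeAuthority()
    return {"Example University": HandleService(aa)}, aa


if __name__ == "__main__":
    wayf, aa = build_origin()
    for target in (PUBLISHER, WORKGROUP):
        print(target, shib_flow(target, "Example University", "alice", "correct horse", wayf, aa))
```

The handle is the only thing that crosses from origin to target in step 7, and it is useless on its own: it is random, it maps back to a user only inside the origin's AA, and it is consumed on first lookup. Everything the target learns about the user is decided by the ARP, not by the target.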
Shibboleth Architecture
(diagram: Browser, Origin Site, Target Site, Target Web Server, Attribute Server, Shib engine)

Shibboleth Architecture -- Managing Trust
(same diagram, with the TRUST relationship between Origin Site and Target Site highlighted)
Milestones

Project formation - Feb 2000
Stone Soup Process - began late summer 2000 with bi-weekly calls to develop scenario, requirements and architecture.
Linkages to SAML established Dec 2000
Architecture and protocol completion - Aug 2001
Design - Oct 2001
Coding began - Nov 2001
Alpha-1 release – April 24, 2002
OpenSAML release – July 15, 2002
v0.7 Shibboleth released Nov 25, 2002
v0.8 March 1, 2003
v1.0 May 2003 (end of month)
v1.1 conversations ruminating; v1.2 may be the plateau
Code status

v0.8 released March 2003 (coding teams – MIT, Columbia, Ohio State, CMU); v1.0 due out April 10
v0.7 much easier to install than the alphas. C/C++ only on target. Java still on origin. Relatively safe to deploy and experiment
Release issues – platform dependencies, fragile Apache components, binaries vs source, etc…
v0.7 to v0.8
  new features – ARPs redone, added robustness
  timeframes – March 1, 2003 general release
v0.8 to v1.0 – SAML 1.1 support, bug fixes and re-packaging
v1.0 -- REAL SOON NOW!!!
Course Management Early Adopters

WebCT
Webassign
Blackboard (Demonstrated April, 2003)
OKI
The Library Pilots

• Explore and evaluate the utility of the Shibboleth model (attributes) for controlling access to licensed resources
• Identify problems and issues with this approach
  • How well do existing licenses map to attributes?
  • Library "walk-in" customers
• Identify and address Shib deploy issues for campuses AND for vendors
• Explore new possibilities, including role-based access controls
Campus Participants

Carnegie Mellon
Columbia
Dartmouth
Georgetown
London School of Economics
New York Univ.
Ohio State
Penn State
U. Colorado
U. Michigan
U. Washington
U. Wisconsin - Madison
UCOP (U. California System)
U. Texas Health Science Center at Houston
Others coming on
Vendor Participants

EBSCO
~ Elsevier
OCLC
Sfx (Ex libris)
JSTOR
McGraw Hill eBooks
Innovative (III)
Consortial efforts: WRLC, Athens, …
Shibboleth Deployment Issues

Access issues
  Kiosks and walk-ins
  logins for on-campus use
Licensing issues
  reconciling license structures with directory structures
  system and consortial issues
  mitigating disintermediation
Functional issues
  handling Shibbed and non-Shibbed resources
  roll-out strategies
  entitlements vs attributes
  what attributes to pass
  how to structure the attribute name space
A Quick Demonstration

A Shib Demo
Next steps

Convergence with other efforts (PAPI, Permis, A-Select, etc)
Shibboleth used as a WebISO solution, the N-Tier problem
What is a Federation? How do we define it?
Sub-Fed, Fed Clusters, Super Federations
Shibboleth the architecture vs Shibboleth the web service
Shibboleth the technology vs Club Shib the trust model
Federated Digital Rights Management
Federated P2P
Privacy Management Systems – see http://www.ischool.washington.edu/shibbui/index.html
Personal Information Managers – see http://www.brown.edu/cgi-bin/httool.epl
Personal Resource Manager

Privacy Management Systems
eduPersonEntitlement: A Small Directory Issue

• Values of eduPersonEntitlement can be URLs or URNs
  – http://www.w3.org/Addressing/
  – RFC2396 Uniform Resource Identifiers
  – RFC2141 Uniform Resource Names
• URNs allow federation of name creation without name clashes
  – urn:mace:brown.edu:foo
• [email protected] for information on URN registration
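An added Python check for eduPersonEntitlement values, written for this page rather than taken from Shibboleth or the eduPerson specification. `parse_entitlement` applies the RFC 2141 URN syntax (NID and NSS character rules, the reserved NID "urn") and accepts http(s) URLs as the other form the slide allows. `coined_by` goes one step beyond the slide: it encodes the "no name clashes" idea as an assumed federation convention under which a home org may only assert entitlements in its own namespace (urn:mace:<its domain>:... or URLs under its domain), so a target can refuse values an origin has no business coining. The convention, the sample values and the domain names are all assumptions for the example.

```python
"""Added validator for eduPersonEntitlement values (not Shibboleth code).
The namespace-ownership rule in coined_by is an assumed federation convention."""
import re
from urllib.parse import urlsplit

# RFC 2141: "urn:" NID ":" NSS. NID is 1-32 letters/digits/hyphens, not
# starting with a hyphen; NSS uses the <trans> characters, with "%" only
# as a two-hex-digit escape ("/", "?", "#" are reserved and excluded here).
_NID = r"[A-Za-z0-9][A-Za-z0-9-]{0,31}"
_NSS = r"(?:[A-Za-z0-9()+,\-.:=@;$_!*']|%[0-9A-Fa-f]{2})+"
_URN_RE = re.compile(rf"^urn:({_NID}):({_NSS})$", re.IGNORECASE)


def parse_entitlement(value):
    """Return ("urn", nid, nss) or ("url", host, path); None if malformed."""
    m = _URN_RE.match(value)
    if m:
        nid = m.group(1).lower()        # NIDs are case-insensitive
        if nid == "urn":                # RFC 2141 reserves this NID
            return None
        return ("urn", nid, m.group(2))
    parts = urlsplit(value)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return ("url", parts.netloc.lower(), parts.path)
    return None


def coined_by(value, org_domain):
    """Assumed convention: urn:mace:<domain>:... and http(s) URLs on a host
    under <domain> may only be coined by the org that owns <domain>."""
    parsed = parse_entitlement(value)
    if parsed is None:
        return False
    kind, first, rest = parsed
    org = org_domain.lower()
    if kind == "urn":
        nss = rest.lower()
        return first == "mace" and (nss == org or nss.startswith(org + ":"))
    host = first.split(":")[0]          # drop any port
    return host == org or host.endswith("." + org)


def filter_entitlements(values, org_domain):
    """Keep only well-formed values the asserting org is allowed to coin."""
    return [v for v in values if coined_by(v, org_domain)]


if __name__ == "__main__":
    # Constructed sample values; only the first and third survive.
    sample = ["urn:mace:brown.edu:foo", "urn:mace:other.edu:foo",
              "https://library.brown.edu/licenses/ejournals", "junk"]
    print(filter_entitlements(sample, "brown.edu"))
```

The lookalike cases in the test (a domain with a suffix appended, a host that merely starts with the org's name) are the ones a plain prefix match gets wrong; the check anchors on the ":" separator for URNs and on the "." label boundary for hosts.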
Overall Trust Fabric